Pom updates to address issue ESAPI#847 (ESAPI#848)

* Close GitHub issue ESAPI#847.
1. Update pom to latest version of compatible dependencies and plugins.
2. Remove commons-io:commons-io:2.15.1 previously needed for convergence as Commons FileUpload no longer requires it and AntiSamy 1.7.5 now uses 2.15.1. So we no longer need to explicitly load it for convergence to succeed.

* Minor documentation tweaks to esapi.tld.

Author: kwwall

pom.xml

@@ -134,9 +134,9 @@
         <version.findsecbugs>2.0.0-M3</version.findsecbugs>
         <version.fluido>2.0.0-M9</version.fluido>
         <version.powermock>2.0.9</version.powermock>
-        <version.spotbugs>4.8.5</version.spotbugs>
-        <version.spotbugs.maven>4.8.5.0</version.spotbugs.maven>
-        <version.surefire>3.2.5</version.surefire>
+        <version.spotbugs>4.8.6</version.spotbugs>
+        <version.spotbugs.maven>4.8.6.2</version.spotbugs.maven>
+        <version.surefire>3.3.0</version.surefire>
         <project.java.target>1.8</project.java.target>
             <!-- TODO: Be sure to update. Should be date of previous official release -->
             <!-- Exact date in the form 'yyyy-dd-yy 00:00:00' should be used. You can find the previous release date -->
@@ -233,7 +233,7 @@
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-collections4</artifactId>
-            <version>4.5.0-M1</version>
+            <version>4.5.0-M2</version>
         </dependency>
         <dependency>
             <groupId>org.apache-extras.beanshell</groupId>
@@ -243,7 +243,7 @@
         <dependency>
             <groupId>org.owasp.antisamy</groupId>
             <artifactId>antisamy</artifactId>
-            <version>1.7.5</version>
+            <version>1.7.6</version>
             <exclusions>
                 <!-- excluded because we directly import newer version below. -->
                 <exclusion>
@@ -274,21 +274,6 @@
             <version>1.4.01</version>
         </dependency>
 
-        <!--
-             FORCE SPECIFIC VERSIONS OF TRANSITIVE DEPENDENCIES EXCLUDED ABOVE.
-             This is to force patched versions of these libraries with known CVEs against them.
-        -->
-        <dependency>
-            <!-- We include this, because Commons File Upload still includes an
-                 old one, but AntiSamy 1.7.4 includes a newer one (2.14.0), which causes the goal
-                 org.apache.maven.plugins:maven-enforcer-plugin:3.3.0:enforce to fail
-                 in DependencyConvergence.
-            -->
-            <groupId>commons-io</groupId>
-            <artifactId>commons-io</artifactId>
-            <version>2.15.1</version>
-        </dependency>
-
         <!-- SpotBugs dependencies -->
         <dependency>
             <groupId>com.github.spotbugs</groupId>
@@ -423,17 +408,17 @@
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-dependency-plugin</artifactId>
-                    <version>3.6.1</version>
+                    <version>3.7.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-release-plugin</artifactId>
-                    <version>3.0.1</version>
+                    <version>3.1.0</version>
                 </plugin>
                 <plugin>
                      <groupId>org.codehaus.mojo</groupId>
                      <artifactId>versions-maven-plugin</artifactId>
-                     <version>2.16.2</version>
+                     <version>2.17.0</version>
                      <configuration>
                          <rulesUri>file:${project.basedir}/versionRuleset.xml</rulesUri>
                      </configuration>
@@ -488,7 +473,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-clean-plugin</artifactId>
-                <version>3.3.2</version>
+                <version>3.4.0</version>
             </plugin>
 
             <plugin>
@@ -543,7 +528,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-enforcer-plugin</artifactId>
-                <version>3.4.1</version>
+                <version>3.5.0</version>
                 <dependencies>
                   <dependency>
                     <groupId>org.codehaus.mojo</groupId>
@@ -553,7 +538,7 @@
                   <dependency>
                     <groupId>org.codehaus.mojo</groupId>
                     <artifactId>animal-sniffer-enforcer-rule</artifactId>
-                    <version>1.23</version>
+                    <version>1.24</version>
                   </dependency>
                 </dependencies>
 
@@ -636,7 +621,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-jar-plugin</artifactId>
-                <version>3.4.1</version>
+                <version>3.4.2</version>
                 <configuration>
                     <archive>
                         <manifest>
@@ -648,9 +633,9 @@
             </plugin>
 
             <plugin>
-               <groupId>org.apache.maven.plugins</groupId>
-               <artifactId>maven-javadoc-plugin</artifactId>
-               <version>3.6.3</version>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-javadoc-plugin</artifactId>
+               <version>3.7.0</version>
                <configuration>
                  <source>8</source>
                  <doclint>none</doclint>
@@ -668,19 +653,19 @@
             <plugin>
               <groupId>org.apache.maven.plugins</groupId>
               <artifactId>maven-jxr-plugin</artifactId>
-              <version>3.3.2</version>
+              <version>3.4.0</version>
             </plugin>
 
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-pmd-plugin</artifactId>
-                <version>3.22.0</version>
+                <version>3.23.0</version>
             </plugin>
 
             <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-project-info-reports-plugin</artifactId>
-               <version>3.5.0</version>
+               <version>3.6.1</version>
             </plugin>
 
             <plugin>
@@ -694,7 +679,7 @@
                      The skin is referenced in src/site/site.xml. -->
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-site-plugin</artifactId>
-                <version>4.0.0-M14</version>
+                <version>4.0.0-M15</version>
                 <dependencies>
                     <dependency>
                         <groupId>org.apache.maven.skins</groupId>
@@ -755,7 +740,7 @@
             <plugin>
                 <groupId>org.owasp</groupId>
                 <artifactId>dependency-check-maven</artifactId>
-                <version>9.2.0</version>
+                <version>10.0.2</version>
                 <configuration>
                     <nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
                     <failBuildOnCVSS>1.0</failBuildOnCVSS>

src/main/resources/META-INF/esapi.tld

@@ -7,7 +7,7 @@
   ~ Enterprise Security API (ESAPI) project. For details, please see
   ~ <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
   ~
-  ~ Copyright (c) 2007 - The OWASP Foundation
+  ~ Copyright (c) 2007-2024 - The OWASP Foundation
   ~
   ~ The ESAPI is published by OWASP under the BSD license. You should read and accept the
   ~ LICENSE before you use, modify, and/or redistribute this software.
@@ -22,14 +22,16 @@
 	xsi:schemaLocation="
 		http://java.sun.com/xml/ns/j2ee
 		http://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd"
-	version="2.0">
+	version="2.x">
 	<description>
 		OWASP Enterprise Security API (ESAPI) provides
 		a JSP Tag Library that supplies easy access to
 		encoding functionality in the form of JSP Tags and EL
 		functions. These can be used to properly escape user
 		supplied data at display time so that it cannot be used
 		in injection attacks like Cross Site Scripting (XSS).
+        This tag library applies to all of ESAPI 2.x versions. Its
+        interface hasn't changed since 2.0.
 	</description>
 	<display-name>OWASP ESAPI</display-name>
 	<tlib-version>2.0</tlib-version>